Getting Access to Generative AI Agents
You can get access to Generative AI Agents resources with OCI Identity and Access Management (IAM) policies.
By default, only users in the Administrators group have access to all OCI resources including Generative AI Agents resources. If you’re a member of another
group, ask your administrator to assign you the least privileges that are required to perform
your responsibilities by reviewing the following sections.
Getting Access to Generative AI Agents
- Access to Generative AI Agents Agents, Knowledge Bases, Data Sources, Data Ingestion Jobs, Agent sessions, Agent Work Requests, and Endpoints
-
- To get access to all Generative AI Agents resources
in the entire tenancy, use the following
policy:
allow group <your-group-name> to manage genai-agent-family in tenancy - To get access to all Generative AI Agents resources
in your compartment, use the following
policy:
allow group <your-group-name> to manage genai-agent-family in compartment <your-compartment-name>
- To get access to all Generative AI Agents resources
in the entire tenancy, use the following
policy:
- Access to Object Storage files to use as Data Sources for the Agents
-
If you are using Object Storage buckets to store the files for the agents, you need permission to list and choose those objects for your agents.
- To allow users to add Object Storage files to their knowledge
bases:
allow group <your-group-name> to manage object-family in compartment <compartment-with-bucket>
- To allow users to add Object Storage files to their knowledge
bases:
Ask your administrator to review the examples in Securing Object Storage and add policies that apply to you such as policies to avoid accidental deleting of buckets that contain training data.
The following sections list the permissions required for each operation in Generative AI.
Resource-Types
Generative AI Agents has the following individual resource-types, and you can assign different permissions to different user groups based on how they can use these resources:
genai-agent: An agentgenai-agent-knowledge-base: The knowledge base associated with an agent.genai-agent-data-source: The data source associated with a knowledge basegenai-agent-data-ingestion-job: The job that ingests data from a data source.genai-agent-endpoint: An endpoint to access the agentgenai-agent-work-request: The work request for Generative AI Agents operationsgenai-agent-session: An agent's chat session
Instead of giving permission to Generative AI Agents
individual resource types, you can use the aggregate resource type,
genai-agent-family to include all seven Generative AI Agents resource types, for example:
allow group <genai-agent-administrators> to manage genai-agent-family in tenancy| Aggregate Resource-Type | Included Individual Resource-Types |
|---|---|
genai-agent-family |
|
Details for Verb + Resource-Type Combinations
This section lists the permissions for Generative AI Agents operations.
The level of access is cumulative as you go from inspect to
read to use to manage.
For example, if you have permission to the manage permission for the
genai-agent-endpoint resource type, you can list, get details for,
create, and delete endpoints. You don't require another permission to
inspect the endpoints.
genai-agent
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENAI_AGENT_INSPECT |
ListAgents |
GET |
inspect |
GENAI_AGENT_READ |
GetAgent |
GET |
read |
GENAI_AGENT_UPDATE |
UpdateAgent |
PUT |
use |
GENAI_AGENT_MOVE |
ChangeAgentCompartment |
POST |
manage |
GENAI_AGENT_CREATE |
CreateAgent |
POST |
manage |
GENAI_AGENT_DELETE |
DeleteAgent |
DELETE |
manage |
allow group GenAI-agents-users to use genai-agent in compartment GenAI-agents-compartmentgenai-agent-knowledge-base
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENAI_AGENT_KNOWLEDGE_BASE_INSPECT |
ListKnowledgeBases |
GET |
inspect |
GENAI_AGENT_KNOWLEDGE_BASE_READ |
GetKnowledgeBase |
GET |
read |
GENAI_AGENT_KNOWLEDGE_BASE_UPDATE |
UpdateKnowledgeBase |
PUT |
use |
GENAI_AGENT_KNOWLEDGE_BASE_MOVE |
ChangeKnowledgeBaseCompartment |
POST |
manage |
GENAI_AGENT_KNOWLEDGE_BASE_CREATE |
CreateKnowledgeBase |
POST |
manage |
GENAI_AGENT_KNOWLEDGE_BASE_DELETE |
DeleteKnowledgeBase |
DELETE |
manage |
allow group GenAI-agents-users to manage genai-agent-knowledge-base in compartment GenAI-agents-compartmentgenai-agent-data-source
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENAI_AGENT_DATASOURCE_INSPECT |
ListDataSources |
GET |
inspect |
GENAI_AGENT_DATASOURCE_READ |
GetDataSource |
GET |
read |
GENAI_AGENT_DATASOURCE_UPDATE |
UpdateDataSource |
PUT |
use |
AGENT_DATASOURCE_MOVE |
ChangeDataSourceCompartment |
POST |
manage |
GENAI_AGENT_DATASOURCE_CREATE |
CreateDataSource |
POST |
manage |
GENAI_AGENT_DATASOURCE_DELETE |
DeleteDataSource |
DELETE |
manage |
allow group GenAI-agents-users to inspect genai-agent-data-source in compartment GenAI-agents-compartmentgenai-agent-data-ingestion-job
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENAI_AGENT_DATA_INGESTION_JOB_INSPECT |
ListDataIngestionJobs |
GET |
inspect |
GENAI_AGENT_DATA_INGESTION_JOB_READ |
GetDataIngestionJob |
GET |
read |
GENAI_AGENT_DATA_INGESTION_JOB_UPDATE |
UpdateDataIngestionJob |
PUT |
use |
GENAI_AGENT_DATA_INGESTION_JOB_MOVE |
ChangeDataIngestionJobCompartment |
POST |
use |
GENAI_AGENT_DATA_INGESTION_JOB_CREATE |
CreateDataIngestionJob |
POST |
manage |
GENAI_AGENT_DATA_INGESTION_JOB_DELETE |
DeleteDataIngestionJob |
DELETE |
manage |
allow group GenAI-agents-users to inspect genai-agent-data-ingestion-job in compartment GenAI-agents-compartmentgenai-agent-endpoint
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENAI_AGENT_ENDPOINT_INSPECT |
ListAgentEndpoints |
GET |
inspect |
GENAI_AGENT_ENDPOINT_READ |
GetAgentEndpoint |
GET |
read |
GENAI_AGENT_ENDPOINT_UPDATE |
UpdateAgentEndpoint |
PUT |
use |
GENAI_AGENT_ENDPOINT_MOVE |
ChangeAgentEndpointCompartment |
POST |
use |
GENAI_AGENT_ENDPOINT_CREATE |
CreateAgentEndpoint |
POST |
manage |
GENAI_AGENT_ENDPOINT_DELETE |
DeleteAgentEndpoint |
DELETE |
manage |
allow group GenAI-agents-users to manage genai-agent-endpoint in compartment GenAI-agents-compartmentgenai-agent-work-request
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENAI_AGENT_WORK_REQUEST_INSPECT |
ListWorkRequests |
GET |
inspect |
GENAI_AGENT_WORK_REQUEST_READ |
GetWorkRequest |
GET |
read |
GENAI_AGENT_WORK_REQUEST_ERRORS_READ |
GetWorkRequestErrors |
GET |
read |
GENAI_AGENT_WORK_REQUEST_LOGS_READ |
GetWorkRequestLogs |
GET |
read |
allow group GenAI-agents-users to read genai-agent-work-request in compartment GenAI-agents-compartmentgenai-agent-session
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENAI_AGENT_SESSION_INSPECT |
ListSessions |
GET |
inspect |
GENAI_AGENT_SESSION_READ |
GetSession |
GET |
read |
GENAI_AGENT_SESSION_UPDATE |
UpdateSession |
PUT |
use |
GENAI_AGENT_SESSION_CREATE |
CreateSession |
POST |
manage |
GENAI_AGENT_SESSION_END |
EndSession |
POST |
manage |
GENAI_AGENT_SESSION_EXECUTE |
ExecuteSession |
POST |
manage |
GENAI_AGENT_SESSION_DELETE |
DeleteSession |
DELETE |
manage |
allow group GenAI-agents-users to manage genai-agent-session in compartment GenAI-agents-compartmentPermissions Required for Each API Operation
The following table lists the permissions required for Generative AI Agents API operations.
| API Operation | Permissions Required to Use the Operation |
|---|---|
ListAgents |
GENAI_AGENT_INSPECT |
GetAgent |
GENAI_AGENT_READ |
UpdateAgent |
GENAI_AGENT_UPDATE |
ChangeAgentCompartment |
GENAI_AGENT_MOVE |
CreateAgent |
GENAI_AGENT_CREATE |
DeleteAgent |
GENAI_AGENT_DELETE |
ListKnowledgeBases |
GENAI_AGENT_KNOWLEDGE_BASE_INSPECT |
GetKnowledgeBase |
GENAI_AGENT_KNOWLEDGE_BASE_READ |
UpdateKnowledgeBase |
GENAI_AGENT_KNOWLEDGE_BASE_UPDATE |
ChangeKnowledgeBaseCompartment |
GENAI_AGENT_KNOWLEDGE_BASE_MOVE |
CreateKnowledgeBase |
GENAI_AGENT_KNOWLEDGE_BASE_CREATE |
DeleteKnowledgeBase |
GENAI_AGENT_KNOWLEDGE_BASE_DELETE |
ListDataSources |
GENAI_AGENT_DATASOURCE_INSPECT |
GetDataSource |
GENAI_AGENT_DATASOURCE_READ |
UpdateDataSource |
GENAI_AGENT_DATASOURCE_UPDATE |
ChangeDataSourceCompartment |
AGENT_DATASOURCE_MOVE |
CreateDataSource |
GENAI_AGENT_DATASOURCE_CREATE |
DeleteDataSource |
GENAI_AGENT_DATASOURCE_DELETE |
ListDataIngestionJobs |
GENAI_AGENT_DATA_INGESTION_JOB_INSPECT |
GetDataIngestionJob |
GENAI_AGENT_DATA_INGESTION_JOB_READ |
UpdateDataIngestionJob |
GENAI_AGENT_DATA_INGESTION_JOB_UPDATE |
ChangeDataIngestionJobCompartment |
GENAI_AGENT_DATA_INGESTION_JOB_MOVE |
CreateDataIngestionJob |
GENAI_AGENT_DATA_INGESTION_JOB_CREATE |
DeleteDataIngestionJob |
GENAI_AGENT_DATA_INGESTION_JOB_DELETE |
ListAgentEndpoints |
GENAI_AGENT_ENDPOINT_INSPECT |
GetAgentEndpoint |
GENAI_AGENT_ENDPOINT_READ |
UpdateAgentEndpoint |
GENAI_AGENT_ENDPOINT_UPDATE |
ChangeAgentEndpointCompartment |
GENAI_AGENT_ENDPOINT_MOVE |
CreateAgentEndpoint |
AGENAI_AGENT_ENDPOINT_CREATE |
DeleteAgentEndpoint |
GENAI_AGENT_ENDPOINT_DELETE |
ListWorkRequests |
GENAI_AGENT_WORK_REQUEST_INSPECT |
GetWorkRequest |
GENAI_AGENT_WORK_REQUEST_READ |
GetWorkRequestErrors |
GENAI_AGENT_WORK_REQUEST_ERRORS_READ |
GetWorkRequestLogs |
GENAI_AGENT_WORK_REQUEST_LOGS_READ |
ListSessions |
GENAI_AGENT_SESSION_INSPECT |
GetSession |
GENAI_AGENT_SESSION_READ |
UpdateSession |
GENAI_AGENT_SESSION_UPDATE |
CreateSession |
GENAI_AGENT_SESSION_CREATE |
EndSession |
GENAI_AGENT_SESSION_END |
ExecuteSession |
GENAI_AGENT_SESSION_EXECUTE |
DeleteSession |
GENAI_AGENT_SESSION_DELETE |